INTRUSION ALONG THE KILL CHAIN

four

Tuesday, July 31, 12





• My name is four 

• I work at facebook 

• I’m obsessed with the problem of intrusion detection 
.. on the state of things ...

. and how well do they work?...

VERIZON


• 7 out of 10 targeted attacks against larger orgs 

• Half of intrusions took months or years to discover 

• Initial attack to compromise: 71 % of the time in minutes or less

• 75% of the time: days or longer to exfil in larger orgs

VERIZON


• Discovery in larger orgs: Half are from 3rd parties. 

• About 1/3: “hey something is weird”

• “Fraud detection” systems: 5% 

• “Routine log review”: 8% 
6 % of advanced intrusions detected by an internal process

maybe the numbers are wrong

... a glimmer of hope ...





The art and science of finding actionable deviations between normal behavior and attacker behavior

Maximize your chance of getting lucky

...intrusion events are not binary...

ALL EVENTS WELCOME


1. Snort event for a high confidence dns domain 

2. Malicious PDF sent to a user 

3. Logins for the same user from disparate geolocations 

4. Netflow based alerts for known bad ip addresses 

5. Specific Registry Modifications (i.e. Persistence) 

6. Antivirus Alerts 

7. Snort event for a blank useragent 

8. Windows RDP successful login event 

9. Snort event that alerts on all encrypted outbound traffic 

10. Pcap data, Raw Logs, Netflow, etc. 
BLACKLISTING

IDENTITY TRANSLATION

. advanced correlation .






CORRELATION 


group low confidence events to find high confidence events
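As an added example (not code from the talk), the correlation idea above: individually noisy events from the "all events welcome" list are grouped per host inside a time window and tagged with a kill-chain phase; a group that spans several phases, or whose summed confidence crosses a threshold, is raised as one high-confidence alert. Event type names, phase assignments, weights and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed model: each low-confidence event type maps to a kill-chain phase and
# a confidence weight. Types mirror the "all events welcome" list; weights are
# constructed, not from the talk.
EVENT_MODEL = {
    "pdf_attachment":       ("delivery",     0.2),
    "av_alert":             ("exploitation", 0.4),
    "registry_persistence": ("installation", 0.4),
    "blank_useragent":      ("c2",           0.2),
    "encrypted_outbound":   ("c2",           0.1),
    "netflow_bad_ip":       ("c2",           0.6),
    "rdp_login":            ("actions",      0.1),
}

# Constructed sample events: (host, ISO timestamp, event type).
SAMPLE_EVENTS = [
    ("ws-17", "2012-07-31T09:01:00", "pdf_attachment"),
    ("ws-17", "2012-07-31T09:04:00", "av_alert"),
    ("ws-17", "2012-07-31T09:06:00", "registry_persistence"),
    ("ws-17", "2012-07-31T09:30:00", "blank_useragent"),
    ("ws-02", "2012-07-31T10:00:00", "encrypted_outbound"),
    ("ws-02", "2012-07-31T10:01:00", "rdp_login"),
    ("ws-02", "2012-07-31T15:00:00", "blank_useragent"),
]

def correlate(events, window=timedelta(hours=1), min_phases=3, min_score=0.8):
    """Group each host's events inside a sliding window that starts at each
    event. A group becomes a high-confidence alert when it spans at least
    min_phases distinct kill-chain phases or its summed weight reaches
    min_score. Returns {host: alert} for hosts that crossed a threshold."""
    by_host = defaultdict(list)
    for host, ts, kind in events:
        by_host[host].append((datetime.fromisoformat(ts), kind))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()  # oldest first so each window looks forward in time
        for i, (start, _) in enumerate(evs):
            group = [kind for t, kind in evs[i:] if t - start <= window]
            phases = sorted({EVENT_MODEL[k][0] for k in group})
            score = round(sum(EVENT_MODEL[k][1] for k in group), 2)
            if len(phases) >= min_phases or score >= min_score:
                alerts[host] = {"start": start.isoformat(), "events": group,
                                "phases": phases, "score": score}
                break  # first qualifying window per host is enough
    return alerts
```

With the defaults, ws-17 (delivery, exploitation, installation and C2 events within half an hour) fires while ws-02 (two low-weight events, then an isolated one hours later) stays quiet.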
ATTACK PLANE




ATTACK PLANE ILLUSTRATED

THE KILL CHAIN










Recon

RECAP


• Love noisy events 

• Reduce noise by blacklists 

• Correlation is your friend 
CONTEXT


• Context can speed up analysis 

• Your products aren’t just for making events

• Vendor products are an ecosystem

• Capabilities can provide events and context



Noisy Event 
FINAL THOUGHTS





